401 based authentication
With 401 based authentication, the NetScaler appliance challenges an unauthenticated request with an HTTP 401 response, and the client (typically the browser) presents a pop-up credentials dialog box to the end user.
Form based AAA-TM relies on HTTP redirect messages to the authentication virtual server. Some applications do not support redirects; in such cases, AAA-TM with 401 authentication enabled is used instead.
Enable the following parameters for 401 authentication AAA-TM to work.
- The 'authnVsName' parameter of the load balancing virtual server must be set to the name of the authentication virtual server that is used to authenticate users.
- The 'authn401' parameter must be enabled. The command for configuring both parameters is as follows:
set lb vs lb1 -authn401 ON -authnVsName <aaavs-name>
The following steps walk through how 401 authentication works:
- The user tries to access a particular URL through the load balancing virtual server.
- The load balancing virtual server sends an HTTP 401 response back to the user, with a WWW-Authenticate header indicating that authentication is required for access.
- The client resends the request with the user's credentials in the Authorization header.
- The load balancing virtual server authenticates the user through the configured authentication virtual server and then connects the user to the back end servers.
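The exchange described in these steps, as an added example that is not NetScaler code and not part of the original page: a small Python model of a load balancing virtual server with authn401 ON that challenges with Basic (RFC 7617), validates the Authorization header and creates a session, together with a client that answers the challenge. The realm string, the session cookie name, the credential store and the session handling are assumptions made for illustration. The model also contrasts a client that retains the session cookie with one that discards it and therefore re-authenticates on every request, which is one way the session build-up described in the Important note below can arise.

```python
"""Toy model of the 401 (Basic) exchange between a client and an LB vserver with
authn401 ON. Added example only, not NetScaler code. The realm, cookie name,
credential store and session handling are assumptions for illustration."""
import base64
import hmac
import secrets

REALM = "lb1"                # assumed realm value sent in the challenge
SESSION_COOKIE = "SESSION"   # assumed cookie name; the page does not name NetScaler's
USERS = {"alice": "s3cret"}  # constructed credential store (plain text only in this toy)


def basic_header(username, password):
    """Build an RFC 7617 Authorization header value for the given credentials."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


class LBVserver:
    """Stand-in for the load balancing vserver: challenge, validate, create session."""

    def __init__(self, users):
        self.users = users
        self.sessions = {}  # session id -> user; grows once per successful authentication

    def handle(self, path, headers):
        """Take a request path and headers; return (status, response headers, body)."""
        h = {k.lower(): v for k, v in headers.items()}
        # An existing session cookie is accepted without re-authentication.
        for part in h.get("cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == SESSION_COOKIE and value in self.sessions:
                return 200, {}, f"{path} for {self.sessions[value]}"
        # Otherwise the Authorization header must carry valid Basic credentials.
        user = self._check_basic(h.get("authorization"))
        if user is None:
            return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, ""
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return 200, {"Set-Cookie": f"{SESSION_COOKIE}={sid}; HttpOnly"}, f"{path} for {user}"

    def _check_basic(self, value):
        if not value or not value.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(value[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        expected = self.users.get(user)
        if not sep or expected is None:
            return None
        # Constant-time comparison so timing does not leak how much of the password matched.
        if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
            return None
        return user


def fetch(server, path, username, password, jar, log):
    """Client side. `jar` is a dict of retained cookies, or None for a client that
    discards cookies. Each (path, request headers, status) is appended to `log`."""
    headers = {"Host": "app.example.com"}
    if jar:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
    status, resp_headers, body = server.handle(path, headers)
    log.append((path, dict(headers), status))
    if status == 401:
        challenge = resp_headers.get("WWW-Authenticate", "")
        if not challenge.startswith("Basic "):
            raise RuntimeError(f"unsupported challenge: {challenge}")
        headers["Authorization"] = basic_header(username, password)
        status, resp_headers, body = server.handle(path, headers)
        log.append((path, dict(headers), status))
    set_cookie = resp_headers.get("Set-Cookie")
    if set_cookie and jar is not None:
        name, _, rest = set_cookie.partition("=")
        jar[name] = rest.split(";")[0]
    return status, body


def run_client(server, retain_cookies, requests=3):
    """Issue `requests` GETs as alice; return (sessions created, exchange log)."""
    jar = {} if retain_cookies else None
    log = []
    for i in range(requests):
        status, _ = fetch(server, f"/app/{i}", "alice", "s3cret", jar, log)
        if status != 200:
            raise RuntimeError(f"request {i} failed with {status}")
    return len(server.sessions), log


if __name__ == "__main__":
    for retain in (True, False):
        n, log = run_client(LBVserver(USERS), retain)
        print(f"retain_cookies={retain}: {len(log)} messages, {n} session(s) created")
```

Running the block shows the cookie-retaining client answering one challenge and then reusing its session for the remaining requests, while the cookie-discarding client is challenged on every request and leaves one session per request behind on the server.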
Important:
For a load balancing virtual server with 401 authentication ON, several authentication and authorization sessions might be created for the same user in a short time. This configuration might lead to a spike in memory usage. You can apply the following configuration on the NetScaler appliance to log the user name, session ID, client IP address and URL of every request that reaches the virtual server, and so identify the end client application that is creating the sessions.
set syslogparams -userDefinedAuditlog YES
add audit messageaction 401_log_act INFORMATIONAL '"LB-401 accessed: User: <" + AAA.USER.NAME + "> SessionID <"+ AAA.USER.SESSIONID + "> Client :<" + CLIENT.IP.SRC + "> accessed URL: <" + HTTP.REQ.URL + ">"'
add rewrite policy rewrite_401_log true NOREWRITE -logAction 401_log_act
bind lb vserver <lb_name> -policyName rewrite_401_log -priority 100 -type REQUEST
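Once the audit message action is in place, the syslog carries one line per request in the format the 401_log_act expression builds. The following is an added example, not from the page and not NetScaler code: a Python script that parses that message format and reports the user and client IP pairs that accumulate many distinct session IDs within a short time window, which is what you are looking for when chasing the memory spike. The log lines are constructed for the example, and their simplified timestamp prefix is not NetScaler's real syslog prefix; only the message body matches the expression above. The window length and threshold are assumed values.

```python
"""Find clients that churn through many AAA sessions, from the 401_log_act audit lines.
Added example, not NetScaler code. The syslog prefix, window and threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Message body as produced by the 401_log_act expression on the page.
MSG_RE = re.compile(
    r"LB-401 accessed: User: <(?P<user>[^>]*)> SessionID <(?P<sid>[^>]*)> "
    r"Client :<(?P<ip>[^>]*)> accessed URL: <(?P<url>[^>]*)>"
)
# Constructed, simplified timestamp prefix; adjust to the real syslog prefix in use.
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s")

# Constructed sample log: a browser user (one session, several URLs) and an
# automated client that gets a fresh session on every request.
SAMPLE_LOG = """\
2024-03-15T10:00:01 ns1 LB-401 accessed: User: <alice> SessionID <a1b2c3> Client :<10.1.1.5> accessed URL: </app/>
2024-03-15T10:00:01 ns1 LB-401 accessed: User: <alice> SessionID <a1b2c3> Client :<10.1.1.5> accessed URL: </app/style.css>
2024-03-15T10:00:02 ns1 LB-401 accessed: User: <alice> SessionID <a1b2c3> Client :<10.1.1.5> accessed URL: </app/data>
2024-03-15T10:00:02 ns1 LB-401 accessed: User: <svc_sync> SessionID <0001> Client :<10.2.2.9> accessed URL: </api/items?page=1>
2024-03-15T10:00:02 ns1 LB-401 accessed: User: <svc_sync> SessionID <0002> Client :<10.2.2.9> accessed URL: </api/items?page=2>
2024-03-15T10:00:03 ns1 LB-401 accessed: User: <svc_sync> SessionID <0003> Client :<10.2.2.9> accessed URL: </api/items?page=3>
2024-03-15T10:00:03 ns1 LB-401 accessed: User: <svc_sync> SessionID <0004> Client :<10.2.2.9> accessed URL: </api/items?page=4>
2024-03-15T10:00:03 ns1 LB-401 accessed: User: <svc_sync> SessionID <0005> Client :<10.2.2.9> accessed URL: </api/items?page=5>
2024-03-15T10:00:04 ns1 LB-401 accessed: User: <svc_sync> SessionID <0006> Client :<10.2.2.9> accessed URL: </api/items?page=6>
2024-03-15T10:00:04 ns1 some unrelated message that must be ignored
"""


def parse(lines):
    """Yield (timestamp, user, session id, client ip, url) for each matching line."""
    for line in lines:
        m = MSG_RE.search(line)
        t = TS_RE.match(line)
        if not m or not t:
            continue
        ts = datetime.strptime(t.group("ts"), "%Y-%m-%dT%H:%M:%S")
        yield ts, m.group("user"), m.group("sid"), m.group("ip"), m.group("url")


def session_churn(lines, window_seconds=60, threshold=3):
    """Per (user, client ip): the largest number of distinct session IDs seen within any
    window of `window_seconds`. Returns a report for pairs reaching `threshold`."""
    events = defaultdict(list)  # (user, ip) -> [(ts, sid, url)]
    for ts, user, sid, ip, url in parse(lines):
        events[(user, ip)].append((ts, sid, url))
    report = {}
    for key, evs in events.items():
        evs.sort()
        best, start = 0, 0
        # Sliding window over time-sorted events, counting distinct session IDs inside it.
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({sid for _, sid, _ in evs[start:end + 1]}))
        if best >= threshold:
            report[key] = {
                "sessions": best,
                "requests": len(evs),
                "sample_urls": sorted({u for _, _, u in evs})[:3],
            }
    return report


if __name__ == "__main__":
    for (user, ip), info in session_churn(SAMPLE_LOG.splitlines()).items():
        print(f"{user}@{ip}: {info['sessions']} sessions in {info['requests']} requests, "
              f"e.g. {info['sample_urls']}")
```

On the sample data only the svc_sync client at 10.2.2.9 is reported: six requests, six different session IDs within a few seconds, while alice keeps a single session across her requests. The URLs in the report are what point you at the offending application.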